Re: GPL applications using Python (OpenSSL issue?)
2011/3/7 Ulrik Sverdrup <firstname.lastname@example.org>:
> Can GPLv3+ applications written in Python exist in Debian main? The
> applications in question do not use an openssl exception.
> Python uses OpenSSL so the moment the application starts, it is linking
> against it too:
> $ objdump -p /usr/bin/python2.6 | grep NEEDED
> NEEDED libpthread.so.0
> NEEDED libdl.so.2
> NEEDED libutil.so.1
> NEEDED libssl.so.0.9.8
> NEEDED libcrypto.so.0.9.8
> NEEDED libz.so.1
> NEEDED libm.so.6
> NEEDED libc.so.6
> In my case I am talking about a GPLv3+ package that exists in Debian --
> Where do I draw the line for using/linking against ssl?
> a) Using Python2.6
> b) Unintentionally introducing _ssl or ssl into the imported modules
> (import any of urllib, httplib, socket etc!)
> c) Unintentionally using ssl (use urllib.urlopen on URL provided by
> user -- if it's https we are using openssl)
> d) Intentionally using ssl (import ssl and use httplib.HTTPSConnection
> and verify certificates)
> Kupfer is today at (c) in the debian archive. It exists in development
> version at (d).
> Clearly (d) has provoked thought but upon investigation I see that
> "import ssl" only triggers "import _ssl" which in turn is an almost
> no-op because _ssl is a built-in module in Python 2.6.
> Is this easier to answer than I think it is?
I don't think this is easy to resolve. It's not the developer's (mine)
issue, it's not the users issue but it's the distributors issue.
FYI, it was briefly discussed on Python-dev:
Of course kupfer (example app) can work without ssl. But the thread
finds another problem, the inavailablity of hashlib (thus md5 and
> But you're also left with not being able to 'import hashlib'. While python has fallback
> code, those modules (_md5, _sha, _sha256, _sha512) aren't built if openssl was found
> at build time. So you can't just select at runtime that you didn't want to use openssl.
> Not being able to import hashlib unfortunately makes urllib2 (and a lot of 3rd party
> packages) fail to import.
md5 and sha1 are used in many desktop programs, for example to locate